Nissan Leaf's Naked APIs

David

Feb 26, 2016

This week the popular Nissan Leaf was in the headlines, but not in a good way. Security researchers Scott Helme and Troy Hunt demonstrated how any Leaf can be easily hacked. The duo hacked into Helme’s Leaf with little more than its vehicle identification number, as described on Hunt’s blog.

In Nissan’s case, shortcuts taken on API infrastructure produced a very bad outcome and raise a lot of questions. What’s the brand damage to Leaf and Nissan? How much customer trust and goodwill has been lost? How much employee time will be squandered fixing the problem, answering questions, doing root cause analysis, reviewing procedures, assigning blame, and dealing with lawyers?

On the one hand you have to applaud Nissan. Car owners want the convenience of being able to control and monitor car functions via their mobile devices and Nissan built an app for Leaf owners—the company is executing a digital strategy.

On the other hand, clearly anyone providing a mobile app needs to think about securing the underlying APIs that app is built on! Building an app on naked APIs is hardly a sound strategy.

If you provide APIs for consumer experiences, you should ask yourself:

How do you protect your backend from misuse and abuse?

How do you identify clients? Authenticate and authorize use?

What kind of rate limiting do you need? How do you prevent your system from being overrun?